Bug#785595: WebIDE downloads and launches adb binary without prompting; subsequently runs at Firefox startup
Josh Triplett
josh at joshtriplett.org
Mon May 18 06:24:38 UTC 2015
Package: iceweasel
Version: 38.0-2
Severity: grave
Tags: upstream

I opened up the developer menu in Firefox 38, and saw the new "WebIDE".
I opened that up to take a look at it, and then closed it, without
running anything else.

That action alone apparently caused Firefox to silently download the
"ADB Helper" and "Valence" extensions in the background (see extension
list below), install them without prompting, and run them. That in turn
downloaded and ran a pre-compiled adb binary in the background (which
Firefox launches at startup).

While it's potentially acceptable to *optionally* install such
extensions on user request, or even prompt to install them, silently
doing so without user consent in response to opening WebIDE (and doing
absolutely nothing with it) is definitely not OK.

This is upstream bug
https://bugzilla.mozilla.org/show_bug.cgi?id=1114380

- Josh Triplett

-- Package-specific info:
-- Extensions information
Name: ADB Helper
Location: ${PROFILE_EXTENSIONS}/adbhelper@mozilla.org
Status: enabled
Name: Adblock Plus
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
Package: xul-ext-adblock-plus
Status: enabled
Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
Name: HTTPS-Everywhere
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/https-everywhere@eff.org
Package: xul-ext-https-everywhere
Status: enabled
Name: It's All Text!
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/itsalltext@docwhat.gerf.org
Package: xul-ext-itsalltext
Status: enabled
Name: Valence
Location: ${PROFILE_EXTENSIONS}/fxdevtools-adapters@mozilla.org
Status: enabled
-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled
Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled
-- Addons package information
ii gnome-shell 3.14.4-1 amd64 graphical shell for the GNOME des
ii iceweasel 38.0-2 amd64 Web browser based on Firefox
ii rhythmbox-plug 3.2.1-1 amd64 plugins for rhythmbox music playe
ii xul-ext-adbloc 2.6.9+dfsg-2 all advertisement blocking extension
ii xul-ext-https- 4.0.3-1 all extension to force the use of HTT
ii xul-ext-itsall 1.9.1-2 all extension to edit textareas using
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.0.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages iceweasel depends on:
ii debianutils 4.5
ii fontconfig 2.11.0-6.3
ii libasound2 1.0.28-1
ii libatk1.0-0 2.16.0-2
ii libc6 2.19-18
ii libcairo2 1.14.2-2
ii libdbus-1-3 1.8.18-1
ii libdbus-glib-1-2 0.102-1
ii libevent-2.0-5 2.0.21-stable-2
ii libffi6 3.1-2+b2
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-4
ii libgcc1 1:5.1.1-5
ii libgdk-pixbuf2.0-0 2.31.1-2+b1
ii libglib2.0-0 2.44.0-3
ii libgtk2.0-0 2.24.25-3
ii libhunspell-1.3-0 1.3.3-3
ii libnspr4 2:4.10.8-1
ii libnss3 2:3.19-1
ii libpango-1.0-0 1.36.8-3
ii libsqlite3-0 3.8.10.1-1
ii libstartup-notification0 0.12-4
ii libstdc++6 5.1.1-5
ii libvpx2 1.4.0-3
ii libx11-6 2:1.6.3-1
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxrender1 1:0.9.8-1+b1
ii libxt6 1:1.1.4-1+b1
ii procps 2:3.3.9-9
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages iceweasel recommends:
ii gstreamer1.0-libav 1.4.4-2
ii gstreamer1.0-plugins-good 1.4.5-2+b1
Versions of packages iceweasel suggests:
pn fonts-mathjax <none>
pn fonts-oflb-asana-math <none>
pn fonts-stix | otf-stix <none>
ii libcanberra0 0.30-2.1
ii libgnomeui-0 2.24.5-3
ii libgssapi-krb5-2 1.12.1+dfsg-20
pn mozplugger <none>
-- no debconf information
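
Added example, not part of the original report or of Firefox/Iceweasel: a shell check that looks through a profiles directory for the two add-ons the report lists under `${PROFILE_EXTENSIONS}` and prints any executable files shipped inside an unpacked copy. The add-on IDs are taken from the report's extension list (with the archive's " at " read as "@"); the function name and output format are hypothetical.

```shell
#!/bin/sh
# Add-on IDs as listed in the report's "Extensions information" section.
WEBIDE_ADDON_IDS="adbhelper@mozilla.org fxdevtools-adapters@mozilla.org"

# find_webide_addons PROFILES_ROOT   (hypothetical helper name)
# Prints "addon<TAB>profile<TAB>id" for every installed copy and
# "exec<TAB>path" for every executable file inside an unpacked copy.
# Returns 0 if at least one add-on was found, 1 otherwise.
find_webide_addons() {
    root=$1
    rc=1
    for profile in "$root"/*/; do
        ext_dir="${profile}extensions"
        [ -d "$ext_dir" ] || continue
        for id in $WEBIDE_ADDON_IDS; do
            # An add-on is stored unpacked (directory) or packed (.xpi file).
            for candidate in "$ext_dir/$id" "$ext_dir/$id.xpi"; do
                [ -e "$candidate" ] || continue
                rc=0
                printf 'addon\t%s\t%s\n' "$(basename "$profile")" "$id"
                if [ -d "$candidate" ]; then
                    # Owner-executable regular files, e.g. a bundled adb binary.
                    find "$candidate" -type f -perm -100 |
                        while IFS= read -r f; do printf 'exec\t%s\n' "$f"; done
                fi
            done
        done
    done
    return "$rc"
}

# Run a scan only when a profiles root is passed on the command line.
if [ "$#" -gt 0 ]; then
    find_webide_addons "$1" || echo "no WebIDE helper add-ons found in $1"
fi
```

Pass the profiles root as the first argument; `~/.mozilla/firefox` is assumed here as the usual location and is not stated in the report.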